log_level_in/out

A firewall is only as good as its logging capability. It is only by going through the log that we can see what is being blocked and what is not. Proxmox comes with a custom service named pvefw-logger, which is based on the netfilter logging daemon. The sole purpose of this service is to log connection activity based on the configured firewall rules. Through the firewall's Options tab, we can set logging at various levels of verbosity. There are eight levels of logging available for the iptables-based firewall. The following table shows the iptables logging levels and their availability in the Proxmox firewall:

| Log Level | Type      | Availability             |
|-----------|-----------|--------------------------|
| Level 0   | Emergency | Available in Proxmox     |
| Level 1   | Alert     | Available in Proxmox     |
| Level 2   | Critical  | Available in Proxmox     |
| Level 3   | Error     | Available in Proxmox     |
| Level 4   | Warning   | Available in Proxmox     |
| Level 5   | Notice    | Not available in Proxmox |
| Level 6   | Info      | Available in Proxmox     |
| Level 7   | Debug     | Available in Proxmox     |

In addition to these levels, Proxmox also has the nolog option. This disables all logging for a resource. The log level info is used the most, as it logs all the good and bad connections. This way, we can see exactly what is being blocked and allowed. However, the info log level also creates many log entries in a very short period of time. As a good rule of thumb, always select some form of logging when enabling a firewall.
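
The rule of thumb above can be checked mechanically against a firewall configuration file. The following Python sketch is an added example, not code from the original text or from Proxmox. It assumes the [OPTIONS] key/value layout of a Proxmox .fw file, the short level keywords (emerg through debug, plus nolog), and that an unset level behaves as nolog; the sample configuration is constructed.

```python
import re

# Levels from the table above, written as the short keywords assumed for
# Proxmox .fw files (the keyword spellings are not taken from the page).
LEVELS = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
          "warning": 4, "notice": 5, "info": 6, "debug": 7}
UNAVAILABLE = {"notice"}  # level 5 is listed above as not available

# Constructed sample of a guest firewall file, for illustration only.
SAMPLE_FW = """\
[OPTIONS]
enable: 1
log_level_in: info
log_level_out: nolog

[RULES]
IN SSH(ACCEPT) -i net0
"""

def parse_options(text):
    """Return the key/value pairs found in the [OPTIONS] section."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        m = re.fullmatch(r"\[(\w+)[^\]]*\]", line)
        if m:
            section = m.group(1).upper()
        elif section == "OPTIONS" and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip()] = value.strip()
    return opts

def audit_logging(text):
    """List findings for log_level_in/out of one firewall configuration."""
    opts = parse_options(text)
    if opts.get("enable", "0") != "1":
        return ["firewall not enabled"]
    findings = []
    for key in ("log_level_in", "log_level_out"):
        level = opts.get(key, "nolog")        # assumption: unset means nolog
        if level == "nolog":
            findings.append(f"{key}: no logging while firewall is enabled")
        elif level in UNAVAILABLE or level not in LEVELS:
            findings.append(f"{key}: '{level}' is not a usable level")
    return findings
```

Calling audit_logging(SAMPLE_FW) reports the outbound direction, which is enabled but set to nolog.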
